The pledge system call forces the current
process into a restricted-service operating mode. A few subsets are available,
roughly described as computation, memory management, read-write operations on
file descriptors, opening of files, and networking. In general, these modes
were selected by studying the operation of many programs using libc and other
such interfaces, and setting promises or
execpromises.

Use of pledge in an application will require
at least some study and understanding of the interfaces called. Subsequent
calls to pledge can reduce the abilities
further, but abilities can never be regained.

A process which attempts a restricted operation is killed with an uncatchable
SIGABRT, delivering a core file if
possible. A process currently running with pledge has state ‘p’
in ps(1) output; a process that was
terminated due to a pledge violation is accounted by
lastcomm(1) with the
‘P’ flag.

A promises value of "" restricts the
process to the _exit(2) system
call. This can be used for pure computation operating on memory shared with
another process.

Passing NULL to
promises or
execpromises specifies to not change the
current value.

Only the FIONREAD,
FIONBIO,
FIOCLEX, and
FIONCLEX operations are allowed by
default. Various ioctl requests are allowed against specific file
descriptors based upon the requests
audio,
bpf,
disklabel,
drm,
inet,
pf,
route,
tape,
tty, and
vmm.

Allows sending of file descriptors using
sendmsg(2). File
descriptors referring to directories may not be passed.

recvfd

Allows receiving of file descriptors using
recvmsg(2). File
descriptors referring to directories may not be passed.

tape

Allow MTIOCGET and
MTIOCTOP operations against tape
drives.

tty

In addition to allowing read-write operations on
/dev/tty, this opens up a variety of
ioctl(2) requests used by tty
devices. If tty is accompanied with
rpath,
revoke(2) is permitted.
Otherwise only the following
ioctl(2) requests are
permitted:

Allows a process to call
execve(2). Coupled with the
proc promise, this allows a process to
fork and execute another program. If
execpromises has been previously set, the
new program begins with those promises, unless setuid/setgid bits are set,
in which case execution is blocked with
EACCES. Otherwise the new program
starts running without pledge active, and hopefully makes a new pledge
soon.

Rather than killing the process upon violation, indicate error with
ENOSYS.

Also, when pledge is called with
promises or
execpromises broader than those currently
in force, the request is ignored and the call returns success rather than
failing. This is useful when a parent enforces
execpromises but an execve'd child has a
different idea.
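The adoption pattern described at the top of this page (privileged setup first, then pledge down, then narrow again), the kill-with-SIGABRT versus ENOSYS behaviour of the error promise, and the execpromises case from the exec section, as one added example. It is not part of the pledge(2) manual and not OpenBSD code. It is enforced only on OpenBSD; on other systems pledge(2) does not exist, so the block declares a no-op stand-in (an assumption so it compiles there; nothing is sandboxed on those systems). The `--child` re-exec convention, the outcome enum, and the use of /bin/true as a harmless exec target are the example's own choices.

```c
/*
 * Added example, not taken from the pledge(2) manual or from OpenBSD.
 * Enforced only on OpenBSD; elsewhere pledge(2) does not exist, so a
 * no-op stand-in is declared (assumption: other systems compile this
 * for reading only and nothing is sandboxed there).
 */
#ifndef __OpenBSD__
#define _DEFAULT_SOURCE
#endif
#include <err.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef __OpenBSD__
static int
pledge(const char *promises, const char *execpromises)
{
	(void)promises; (void)execpromises;
	return 0;	/* stand-in: no enforcement outside OpenBSD */
}
#endif

/* How a sandboxed child ended, as seen by its parent. */
enum outcome { ALLOWED = 0, ENOSYS_RETURNED = 1, KILLED_SIGABRT = 2, FAILED = 3 };

/* Decode a wait(2) status; child exit codes use the same enum values. */
static enum outcome
classify(int st)
{
	if (WIFSIGNALED(st))
		return WTERMSIG(st) == SIGABRT ? KILLED_SIGABRT : FAILED;
	if (WIFEXITED(st) && WEXITSTATUS(st) <= FAILED)
		return (enum outcome)WEXITSTATUS(st);
	return FAILED;
}

/* Do something "stdio" does not cover: socket(2) needs "unix" (or "inet"). */
static void
attempt_socket_and_exit(void)
{
	int s = socket(AF_UNIX, SOCK_STREAM, 0);

	if (s == -1)
		_exit(errno == ENOSYS ? ENOSYS_RETURNED : FAILED);
	close(s);
	_exit(ALLOWED);
}

/*
 * Fork a child that pledges `promises` and then calls socket(2):
 *   "stdio"       -> killed with uncatchable SIGABRT (core file if possible)
 *   "stdio error" -> socket() fails with ENOSYS and the child carries on
 *   "stdio unix"  -> allowed
 * Call this before the parent has pledged itself: a child cannot pledge
 * more than its parent already holds.
 */
static enum outcome
probe_violation(const char *promises)
{
	int st;
	pid_t pid = fork();

	if (pid == -1)
		return FAILED;
	if (pid == 0) {
		if (pledge(promises, NULL) == -1)
			_exit(FAILED);
		attempt_socket_and_exit();
	}
	return waitpid(pid, &st, 0) == pid ? classify(st) : FAILED;
}

/*
 * The exec case: pledge "stdio proc exec" for ourselves (what fork+exec
 * needs) and "stdio error" as execpromises, then run `path --child`.
 * When `path` is this program, the child's own pledge("stdio unix")
 * asks for more than it inherited; because "error" is in force that
 * request is ignored and returns success, and the later socket() fails
 * with ENOSYS instead of killing the child.
 */
static enum outcome
exec_child_under_execpromises(const char *path)
{
	int st;
	pid_t pid;

	if (pledge("stdio proc exec", "stdio error") == -1)
		return FAILED;
	if ((pid = fork()) == -1)
		return FAILED;
	if (pid == 0) {
		execl(path, path, "--child", (char *)NULL);
		_exit(FAILED);
	}
	return waitpid(pid, &st, 0) == pid ? classify(st) : FAILED;
}

int
main(int argc, char *argv[])
{
	if (argc == 2 && strcmp(argv[1], "--child") == 0) {
		/* Started with "stdio error" in force: this is silently ignored. */
		if (pledge("stdio unix", NULL) == -1)
			_exit(FAILED);
		attempt_socket_and_exit();
	}
	printf("outcomes: 0 allowed, 1 ENOSYS, 2 killed by SIGABRT, 3 failed\n");
	printf("stdio        -> %d\n", probe_violation("stdio"));
	printf("stdio error  -> %d\n", probe_violation("stdio error"));
	printf("stdio unix   -> %d\n", probe_violation("stdio unix"));
	printf("execpromises -> %d\n", exec_child_under_execpromises(argv[0]));

	/* Narrow further once exec is no longer needed; this cannot be undone. */
	if (pledge("stdio", NULL) == -1)
		err(1, "pledge");
	return 0;
}
```

Build with `cc -o pledge_demo pledge_demo.c` and run `./pledge_demo` (a path, not a bare name, so the re-exec of argv[0] resolves). On OpenBSD the three probes print 2, 1 and 0 and the execpromises line prints 1, which is the behaviour the page describes; the ps(1) and lastcomm(1) markers mentioned above can be checked while it runs. The probes must be called before `exec_child_under_execpromises`, because that function pledges the calling process to "stdio proc exec" and abilities, once dropped, cannot be regained by it or its later children.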